
angr-doc's Issues

Help on CFG

I'm new; I need your help. My CFG can't output a graph and I don't know how to load a *.bin as a project. Thanks.

Errors when trying the solve.py in ./examples/grub folder

Hi,
When I try to run the solve.py script to debug the GRUB 28-backspace vulnerability, the following errors are reported:

  File "/home/vancaho/test/grub/solve_grub.py", line 78, in <module>
    find_bug()
  File "/home/vancaho/test/grub/solve_grub.py", line 6, in find_bug
    p = angr.Project('crypto.mod', load_options={'main_opts': {'custom_base_addr': 0x8000000}})
  File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/project.py", line 128, in __init__
    self.loader.add_object(self._extern_obj)
  File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 284, in add_object
    base_addr = self._get_safe_rebase_addr()
  File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 329, in _get_safe_rebase_addr
    return self.max_addr() + (granularity - self.max_addr() % granularity)
  File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 399, in max_addr
    return max(map(lambda x: x.get_max_addr(), self.all_objects))
  File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/loader.py", line 399, in <lambda>
    return max(map(lambda x: x.get_max_addr(), self.all_objects))
  File "/home/vancaho/.virtualenvs/angr/local/lib/python2.7/site-packages/cle/backends/__init__.py", line 276, in get_max_addr
    return out + self.rebase_addr

How to solve this problem? Thanks a lot

example of android_arm_license_validation result not as expected

android_arm_license_validation

It seems that on Mac OS 10.12.4 the result we get is not as expected, and even on Ubuntu 16.04 on my server the result is still not as expected:

WARNING | 2017-05-03 11:41:57,782 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000. 
ABGAAWQAEEAAAAAA

According to the author's guide at http://www.vantagepoint.sg/blog/81-solving-an-android-crackme-with-a-little-symbolic-execution
the result string should be JQAE6ACMABNAAIIA. Worse, neither ABGAAWQAEEAAAAAA nor JQAE6ACMABNAAIIA passes on the phone:

adb shell /data/local/tmp/validate JQAE6ACMABNAAIIA
Entering base32_decode
Outlen = 2
Entering check_license
Incorrect serial.

Does anyone have ideas that can help me with this?
Thank you

More CFG Graphing Examples

Right now there's very little documentation on how to use the NetworkX di-graph from angr. The current example in /docs/analyses/cfg.md that suggests print "This is the graph:", cfg.graph seems to print nothing.

Just using networkx.draw(...) will result in a horrible graph like this.

Any suggestions on how I could dump the graph to GraphML or JSON? Using json_graph.dumps(cfg.graph) results in TypeError("G is not a tree.").

HackCon 2016 - angry-reverser does not work

When I run the yolomolo example, the following error occurs.

/home/leizhao/.virtualenvs/angr/local/lib/python2.7/site-packages/pyvex/block.py:75: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
1)
Launching exploration
ERROR | 2016-11-10 18:49:27,830 | angr.simos | Syscall 101 is not found for arch AMD64
ERROR | 2016-11-10 18:49:27,832 | angr.simos | Syscall 101 is not found for arch AMD64
Traceback (most recent call last):
  File "yolomolo-solve.py", line 42, in <module>
    assert main() == "HACKCON{VVhYS04ngrY}"
  File "yolomolo-solve.py", line 35, in main
    final = ex.found[0].state
IndexError: list index out of range

BTW, I found a similar issue (#91). The difference is that the error message of my example didn't include the segment fault.

Results of derived constraints

Hi,

I assume the x86_64 architecture and code similar to this:

int bar(int a, int b)
{
    <arithmetic operations in dependence on a and b>
    if (d == 100) // d depends on a and b
        return 1;

    return 0;
}

My goal is to retrieve the inputs for a and b, stored in RDI and RSI such that 1 will be returned.

My code for that looks similar to this:

import angr
b = angr.Project(<binary>)
s = b.factory.blank_state(addr = <function start>)

pg = b.factory.path_group(s, immutable=False)
pg.explore(find=<address of return 1>)

s = pg.found[0].state

print s.se.any_int(s.regs.rdi)
print s.se.any_int(s.regs.rsi)

The returned values of RDI and RSI do not work in most cases. So, should this approach work as described above, or do I misunderstand something?

Ubuntu 14.04, mkvirtualenv

A minor change that might improve things:
Arch doesn't appear to have mkvirtualenv. Maybe express in the docs that mkvirtualenv can also be simulated by:

virtualenv angr
. angr/bin/activate

Memory Management

It looks like angr has a tendency to chew up all CPU and memory resources. On one hand that's good because it's utilizing all available resources. The problem is that on two separate computers now (and separate binaries), angr has managed to completely lock up the system to the point where I have to hard reset it. There should likely be some sort of memory management ability for the program to either cancel out when it has eaten up too much memory, stop taking up more memory, etc.

docker root permissions

I use the Docker image for angr (angr/angr); it works well. Now I want to update some libraries. Can you give us the root password, then?

Wrong year in citation in http://angr.io

Hi Shellphish,

This issue is not really in angr, but it is related. In the page http://angr.io, your first citation has the wrong year, 2015 instead of 2016.

@Article{shoshitaishvili2016state,
title={SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis},
author={Shoshitaishvili, Yan and Wang, Ruoyu and Salls, Christopher and Stephens, Nick and Polino, Mario and Dutcher, Andrew and Grosen, John and Feng, Siji and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
booktitle={IEEE Symposium on Security and Privacy},
year={2015}
}
Sorry for submitting an issue only for a typo, I do it with the best intention, because I wish you tons of citations.
By the way, congratulations for this paper and the project! :)
I hope I get the chance to meet you these days in IEEE S&P.

Yoalli

Use Travis CI to test examples

Now that we have angr on Docker, we can use Travis CI to pull the latest image and test all the examples. (By itself, I think Travis CI is too slow to build angr and times out.)

Is there currently a script somewhere that runs all the examples, or should I write one?

Paging @zardus since we briefly spoke about this on IRC.

cfg

ERROR | 2016-04-06 23:40:03,206 | angr.analyses.cfg | Caught an AngrError during CFG recovery at 0x40b768 (.text)
raise PyVEXError(ffi.string(pvc.last_error) if pvc.last_error != ffi.NULL else "unknown error")
angr.errors.AngrTranslationError: ('Translation error', <class 'pyvex.PyVEXError'>, PyVEXError('exception in VEX (see console)',))
I can print the CFG of the examples on GitHub, but when I load a binary myself (D-Link's webs), it errors out.

Trouble Getting Expected Angr Results

Hey,

So this is probably a user error, but I created a binary to test my understanding of angr. Basically, all it does is ask for input, then check that against a static "P@ssword", and branch accordingly. I've been able to get angr to find the path just fine, but I can never get it to tell me that the only way to get through to that path is to use the "P@ssword".

Here's my simple script:
import angr
import simuvex
b = angr.Project("a.out")
e = b.surveyors.Explorer(find=(0x400695))
e.run()
s = e.found[0].state
s.se.any_str(s.memory.load(s.regs.rbp-0x110,16))

The C code is this (gcc test.c):

#include <stdio.h>
#include <string.h>

int main() {
    char buf[256];
    printf("Enter password: ");
    gets(buf);
    if (strcmp(buf, "P@ssword")) {   /* strcmp() returns 0 on a match, so this branch is taken for every input except P@ssword */
        printf("%s is correct\n", buf);
    }
    else {
        printf("%s is incorrect\n", buf);
    }
    return 0;
}

Better example organization

The examples are being overwhelmed with similar "start here, explore to here, print flag" writeups. These are good to have for testing, because they tend to explore different types of code, help us keep writeups working as angr evolves, and so on, but they're redundant for people trying to learn angr.

I think we need to have an "Examples Showcase" that shows unique examples, and an "Additional Examples" section that contains redundancies for CI (and curious readers). Putting this issue as a placeholder for now. Next step is building the list.

angr outputs killed

Dear all,

I used angr to symbolically execute an example from the veritesting paper;
after it has run for about 1h 30m, angr outputs "killed".
What does it mean?

Thanks.

HackCon 2016 (angry-reverser) does not work

(angr)angr@c06036219af2:~/angr-dev/angr-doc/examples/hackcon2016_angry-reverser$ python solve.py 
Launching exploration
ERROR   | 2016-09-12 17:20:39,947 | angr.simos | Syscall 101 is not found for arch AMD64
ERROR   | 2016-09-12 17:20:39,950 | angr.simos | Syscall 101 is not found for arch AMD64
Traceback (most recent call last):
  File "solve.py", line 42, in <module>
    assert main() == "HACKCON{VVhYS04ngrY}"
  File "solve.py", line 35, in main
    final = ex.found[0].state
IndexError: list index out of range
Segmentation fault (core dumped)
(angr)angr@c06036219af2:~/angr-dev/angr-doc/examples/hackcon2016_angry-reverser$ pip list
ana (0.02, /home/angr/angr-dev/ana)
angr (5.6.8.22, /home/angr/angr-dev/angr)
angr-management (4.6.6.28, /home/angr/angr-dev/angr-management)
angr-only-z3-custom (4.4.1.post4)
archinfo (5.6.8.22, /home/angr/angr-dev/archinfo)
argparse (1.2.1)
astroid (1.4.8)
atom (0.3.10)
backports.functools-lru-cache (1.2.1)
backports.shutil-get-terminal-size (1.0.0)
backports.ssl-match-hostname (3.5.0.1)
bintrees (2.0.4)
cachetools (1.1.6)
capstone (3.0.4)
cffi (1.8.2)
claripy (5.6.8.22, /home/angr/angr-dev/claripy)
cle (5.6.8.22, /home/angr/angr-dev/cle)
configparser (3.5.0)
cooldict (1.02, /home/angr/angr-dev/cooldict)
coverage (4.2)
decorator (4.0.10)
distribute (0.7.3)
dpkt-fix (1.7)
enaml (0.9.8)
enum34 (1.1.6)
future (0.15.2)
futures (3.0.5)
idalink (0.10, /home/angr/angr-dev/idalink)
ipdb (0.10.1)
ipython (5.1.0)
ipython-genutils (0.1.0)
isort (4.2.5)
kiwisolver (0.1.3)
lazy-object-proxy (1.2.2)
mccabe (0.5.2)
monkeyhex (1.1, /home/angr/angr-dev/monkeyhex)
mulpyplexer (0.07, /home/angr/angr-dev/mulpyplexer)
networkx (1.11)
nose (1.3.7)
nose-timer (0.6.0)
pathlib2 (2.1.0)
pefile (2016.3.28)
pexpect (4.2.1)
pickleshare (0.7.4)
pip (1.5.4)
plumbum (1.6.2)
ply (3.9)
progressbar (2.3)
prompt-toolkit (1.0.7)
ptyprocess (0.5.1)
pycparser (2.14)
pyelftools (0.24)
Pygments (2.1.3)
pylint (1.6.4)
pyvex (5.6.8.22, /home/angr/angr-dev/pyvex)
rpyc (3.3.0)
setuptools (27.1.2)
simplegeneric (0.8.1)
simuvex (5.6.8.22, /home/angr/angr-dev/simuvex)
six (1.10.0)
superstruct (1.0, /home/angr/angr-dev/superstruct)
termcolor (1.1.0)
traitlets (4.3.0)
unicorn (1.0)
wcwidth (0.1.7)
websocket-client (0.37.0)
wrapt (1.10.8)
wsgiref (0.1.2)

Pinging @P1kachu (#87).

Documentation for different paths

This might sound obvious, but there is no real section where each kind of path is at least defined. What is a ${type} path? In which case is it useful?
It would be interesting to have a clear explanation of that, to avoid looking, for example, only at found paths when your answer is in a deadended one.

I would have taken care of it myself if I wasn't one of the people that don't know what these types are :)

insomnihack_aeg example fails

Hi, when trying to execute the insomnihack example I am getting this error:

(angr)symeon@ubuntu:~/angr/angr-dev/angr-doc/examples/insomnihack_aeg$ python simple_aeg.py demo_bin
Warning: FastBinaryTree not available, using Python version BinaryTree.
Warning: FastAVLTree not available, using Python version AVLTree.
Warning: FastRBTree not available, using Python version RBTree.
INFO    | 2016-04-16 13:44:03,850 | insomnihack.simple_aeg | looking for vulnerability in 'demo_bin'
INFO    | 2016-04-16 13:44:20,116 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO    | 2016-04-16 13:45:23,301 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO    | 2016-04-16 13:45:25,248 | insomnihack.simple_aeg | found some unconstrained paths, checking exploitability
INFO    | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | found a path which looks exploitable
INFO    | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | attempting to create exploit based off path
INFO    | 2016-04-16 13:45:25,251 | insomnihack.simple_aeg | found symbolic buffer at 0xc0000c20
INFO    | 2016-04-16 13:45:25,260 | insomnihack.simple_aeg | found buffer for shellcode, completing exploit
INFO    | 2016-04-16 13:45:25,261 | insomnihack.simple_aeg | pointing pc towards shellcode buffer
Traceback (most recent call last):
  File "simple_aeg.py", line 116, in <module>
    sys.exit(main(sys.argv[1]))
  File "simple_aeg.py", line 108, in main
    f.write(ep.state.posix.dumps(0))
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/posix.py", line 372, in dumps
    return self.state.se.any_str(self.get_file(fd).all_bytes())
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 297, in any_str
    ans = self.any_n_str(e, 1, extra_constraints=extra_constraints)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 306, in any_n_str
    return list(self.any_n_str_iter(e, n, extra_constraints=extra_constraints, exact=exact))
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 302, in any_n_str_iter
    for s in self.eval(e, n, extra_constraints=extra_constraints, exact=exact):
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 73, in autoed_f
    return ast_stripping_op(f, self, *args, **kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 43, in ast_stripping_op
    r = _actual_ast_stripping_op(f, *args, **kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/s_action_object.py", line 36, in ast_stripping_op
    return f(*new_args, **new_kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 80, in wrapped_f
    return f(self, *args, **kwargs)
  File "/home/symeon/angr/angr-dev/simuvex/simuvex/plugins/solver.py", line 244, in eval
    return self._solver.eval(e, n, extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
  File "/home/symeon/angr/angr-dev/claripy/claripy/frontends/caching_frontend.py", line 344, in eval
    self._eval(e, n_lacking, extra_constraints=solver_extra_constraints, exact=exact, cache=cache)
  File "/home/symeon/angr/angr-dev/claripy/claripy/frontends/full_frontend.py", line 89, in _eval
    raise UnsatError('unsat')
simuvex.s_errors.SimUnsatError: ('Got an unsat result', <class 'claripy.errors.UnsatError'>, UnsatError('unsat',))

Am I missing something? Does it work for you? Thanks.

How to re-solve the constraints when the constraints or pre-constraints are changed

Dear all,

I want to make the generated input as similar to the given input as possible.
To implement this, what I thought of is to remove the replacements of the input preconstraints one by one, and then ask the SolverReplacement solver to solve repeatedly.

Is there an API function that can be used to re-solve the constraints when the constraints or pre-constraints are changed?

Thank you very much.

How to interpret graphical output of DDG and DFG

Hi, I just searched for an explanation of the graphical output from DDG and DFG but I didn't find any.
So here are my questions about the DDG and DFG PNG output files:

  • In DDG and DFG a node consists of 3 sections. What does each section stand for?
  • What is the meaning of green-colored nodes?
  • How is an edge interpreted (in which direction does the dependency go)?
  • What is the meaning of blue/black/red/green or dotted edges in DDG and DFG?
  • What is the meaning of "kill" on an edge or other markings?

Maybe you can add a legend for the graphical representation to the documentation.
Best regards :-)

Documentation for DDG

For the Data Dependency Graph analysis, there is no documentation provided. It would be great if you could provide some documentation on the analysis and its implementation.

IRSB decode error for self-modifying code?

Hi Guys,

I am pretty new to angr. I think it's really cool. I wrote some basic code for testing a shellcode. The source is as follows:

import angr

bp = 0x401010

def check(path):
    if path.state.ip.args[0] == bp:
        return True
    else:
        return False

b = angr.Project('shellcode.exe')
state = b.factory.entry_state()
pg = b.factory.path_group(state)

pg.explore(find=check)
found = pg.found[0]

print len(pg.found)

The shellcode disassembly looks like this:

.text:00401000 start           proc near
.text:00401000                 jmp     short loc_401012
.text:00401000 start           endp
.text:00401000
.text:00401002
.text:00401002 ; =============== S U B R O U T I N E =======================================
.text:00401002
.text:00401002 ; Attributes: noreturn
.text:00401002
.text:00401002 sub_401002      proc near               ; CODE XREF: sub_401002:loc_401012↓p
.text:00401002                 pop     ebx
.text:00401003                 dec     ebx
.text:00401004                 xor     ecx, ecx
.text:00401006                 mov     cx, 296h
.text:0040100A
.text:0040100A loc_40100A:                             ; CODE XREF: sub_401002+C↓j
.text:0040100A                 xor     byte ptr [ebx+ecx], 9Ch
.text:0040100E                 loop    loc_40100A
.text:00401010                 jmp     short loc_401017
.text:00401012 ; ---------------------------------------------------------------------------
.text:00401012
.text:00401012 loc_401012:                             ; CODE XREF: start↑j
.text:00401012                 call    sub_401002
.text:00401017 ; ---------------------------------------------------------------------------
.text:00401017
.text:00401017 loc_401017:                             ; CODE XREF: sub_401002+E↑j
.text:00401017                 pop     ds
.text:00401018                 js      short loc_401086
.text:0040101A                 lodsd
.text:0040101B                 push    ebp
.text:0040101C
.text:0040101C loc_40101C:                             ; CODE XREF: sub_401002+5B↓j

The shellcode XORs the obfuscated block of code starting at 0x401017. My test angr script should be able to stop right before jumping into the deobfuscated code at 0x401010, which allows me to inspect deobfuscated code. But instead I've got the following error paths.

>> pg.errored
[<Errored Path with 667 runs (at 0x4010f8, AngrExitError)>, <Errored Path with 667 runs (at 0x401098, AngrExitError)>]

Since there are only a couple of direct jumps till the 0x401010, angr shouldn't attempt to parse the obfuscated block (that contains gibberish-looking code before deobfuscation). But it appears that's what angr is doing there. I might be wrong. See more error details below.

>> pg.errored[0].error
AngrExitError('IR decoding error at 0x4010f8. You can hook this instruction with a python replacement using project.hook(0x4010f8, your_function, length=length_of_instruction).',)
>> pg.errored[1].error
AngrExitError('Cannot create run following jumpkind Ijk_SigTRAP',)

Please find the shellcode in the zip (pw: infected). Any comment will be greatly appreciated.

shellcode.exe.zip
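As an added illustration (not code from the issue or from angr), the following pure-Python script applies the decoder stub shown in the listing statically, so the block at 0x401017 can be inspected without executing it. The stub bytes are transcribed from the disassembly above; the encoded payload is a constructed placeholder (the real sample in the attachment is not reproduced), and the loop count, XOR key and decoded window are read out of the stub rather than hardcoded.

```python
import struct

BASE = 0x401000  # load address used in the issue's listing

# The decoder stub, transcribed from the disassembly in the issue (0x401000..0x401016).
STUB = bytes.fromhex(
    "EB10"         # 401000  jmp short 0x401012
    "5B"           # 401002  pop ebx            ; ebx = return address pushed by the call (0x401017)
    "4B"           # 401003  dec ebx            ; ebx = 0x401016
    "31C9"         # 401004  xor ecx, ecx
    "66B99602"     # 401006  mov cx, 0x296
    "80340B9C"     # 40100A  xor byte ptr [ebx+ecx], 0x9C
    "E2FA"         # 40100E  loop 0x40100A      ; runs with ecx = 0x296 down to 1
    "EB05"         # 401010  jmp short 0x401017 ; into the now-decoded block
    "E8EBFFFFFF"   # 401012  call 0x401002
)

def parse_stub(image, base):
    """Recover loop count, XOR key and the decoded window from the stub itself."""
    if image[0x6:0x8] != b"\x66\xB9":
        raise ValueError("expected 'mov cx, imm16' at +0x6")
    count = struct.unpack_from("<H", image, 0x8)[0]
    if image[0xA:0xD] != b"\x80\x34\x0B":
        raise ValueError("expected 'xor byte ptr [ebx+ecx], imm8' at +0xA")
    key = image[0xD]
    if image[0x12] != 0xE8:
        raise ValueError("expected 'call' at +0x12")
    ret_addr = base + 0x12 + 5            # address the call pushes
    ebx = ret_addr - 1                    # after 'pop ebx; dec ebx'
    first, last = ebx + 1, ebx + count    # 'loop' touches [ebx+1, ebx+count]
    return count, key, first, last

def decode_image(image, base=BASE):
    """Apply the stub's XOR loop statically; returns (decoded image, first, last)."""
    count, key, first, last = parse_stub(image, base)
    if last - base >= len(image):
        raise ValueError("image too short for the decoder window")
    out = bytearray(image)
    for addr in range(first, last + 1):
        out[addr - base] ^= key
    return bytes(out), first, last

# CONSTRUCTED sample: the first decoded bytes match the listing (pop ds; js; lodsd; push ebp),
# the rest is NOP filler; it is then XOR-encoded so the raw image looks like the real one.
DECODED_HEAD = bytes.fromhex("1F786CAD55")

def build_sample_image():
    plain = DECODED_HEAD + b"\x90" * (0x296 - len(DECODED_HEAD))
    encoded = bytes(b ^ 0x9C for b in plain)
    return STUB + encoded

if __name__ == "__main__":
    img = build_sample_image()
    dec, first, last = decode_image(img)
    print("decoded window: 0x%x..0x%x" % (first, last))
    print("bytes at 0x401017 before:", img[0x17:0x1C].hex(), "after:", dec[0x17:0x1C].hex())
```

The window it reports, 0x401017..0x4012ac, contains 0x4010f8, which is why a static IR decode there sees only the encoded bytes.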

Confusion about `Reverse` bit operation

In [10]: claripy.BVV(0x00000001, 32).reversed
Out[10]: <BV32 0x1000000>

I'd have expected <BV32 0x80000000>, reversing the order of bits in a word.

The documentation says that the Reverse operation "Reverses a bit expression."

I understand why the operation does what it does, reverse by byte for an endian flip, but the naming and documentation could use improvement. When I first saw it as output in a symbolic expression I was really confused, "why would this code flip all the bits around".
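As an added example (plain Python, not claripy's implementation), the two candidate meanings of "reverse" side by side, plus the store-little-endian/load-big-endian pattern that produces a Reverse node in a symbolic expression; the function names are this example's own.

```python
import struct

def byte_reverse(value, width_bits):
    """What claripy's Reverse (.reversed) does: swap the byte order, i.e. an endianness flip."""
    n = width_bits // 8
    return int.from_bytes(value.to_bytes(n, "big"), "little")

def bit_reverse(value, width_bits):
    """What the name suggests but the operation does not do: mirror every individual bit."""
    out = 0
    for _ in range(width_bits):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out

def cross_endian_load(value, width_bits):
    """Store a value little-endian and load it back big-endian; this is byte_reverse()."""
    fmt = {16: "H", 32: "I", 64: "Q"}[width_bits]
    return struct.unpack(">" + fmt, struct.pack("<" + fmt, value))[0]

if __name__ == "__main__":
    print(hex(byte_reverse(0x1, 32)), hex(bit_reverse(0x1, 32)))
```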

Interpret output of DDG analysis

After running:

b = angr.Project('/bin/true', load_options={'auto_load_libs': False})
cfg = b.analyses.CFGAccurate(keep_state=True)
ddg = b.analyses.DDG(cfg)
ddg.data_graph.nodes()[0]  # outputs A: <<Reg 144 8> @ <0x401646 0x401646(11)>>
ddg.graph.nodes()[0]       # outputs B: <0x403664 0x403645(44)>

What is the interpretation of A and B, and what does each element stand for? Thanks in advance.

angr for type inference

Hi,
I found that angr is able to detect types through static analysis (full-program static analysis, i.e., type inference, program slicing). Could you please give an example of how angr can be used for type inference?

Thank you for your support and time.

Add GDB Examples

Right now there are no examples of using gdb with angr. If you happen to have one you can share, please do. =)

Update PG docs

After this spate of deadlines, we really need to update docs for path groups, exploration techniques, etc. The existing stuff is really out of date.

backward_slice

Traceback (most recent call last):
  File "backward_slice.py", line 10, in <module>
    from ..annocfg import AnnotatedCFG
ValueError: Attempted relative import in non-package
But my files include annocfg.py. Why?

simuvex.engines.vex.engine error while analyzing statement

OS Ubuntu 16.04 LTS amd64 dist-upgraded to current.
While trying a verification run on the install, angr appears to get most of the flags in the cmu_binary_bomb example, but throws a lot of error messages regarding simuvex analyzing a statement (10)...

python version is 2.7.12

installed via pip install angr

Attached is the output from the run showing the error message.

output.txt

Use Appveyor to test examples

Ideally, after I/we fix up the Windows build, we should be running the same tests as #51 but with Appveyor.

Our goal is to get Travis running on all the angr components, then use Appveyor for Windows if we ever get a good Windows release going.

SimProcedureError: Tried to run simproc continuation with empty stack

There is something wrong with the "Defcamp CTF Qualification 2015 - Reversing 200" sample code.

After updating to the latest version, it throws an error like this:

ERROR | 2016-01-13 21:48:23,492 | angr.analyses.cfg | SimError:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/angr/analyses/cfg.py", line 776, in _get_simrun
    sim_run = self.project.factory.sim_run(current_entry.state, jumpkind=jumpkind)
  File "/usr/local/lib/python2.7/dist-packages/angr/factory.py", line 114, in sim_run
    r = sim_proc_class(state, addr=addr, sim_kwargs=kwargs)
  File "/usr/local/lib/python2.7/dist-packages/simuvex/s_procedure.py", line 227, in new
    raise SimProcedureError("Tried to run simproc continuation with empty stack")
SimProcedureError: Tried to run simproc continuation with empty stack

google2016_unbreakable_0 solve.py is not working

Seems that the script in its current form is broken. I am simply trying to execute the example and it fails to find a solution.

Traceback (most recent call last):
  File "./poc.py", line 57, in <module>
    print(repr(main()))
  File "./poc.py", line 47, in main
    found = path_group.found[0] # In our case, there's only one printable solution.
IndexError: list index out of range

Bomb CMU - Phase 6 - SimMemoryAddressError

Hello!
I'm trying to solve phase 6 with angr but I get a lot of warnings like the following and angr actually never finishes the execution.

WARNING | 2016-12-21 23:09:53,895 | simuvex.vex.irsb | <SimIRSB 0x401176> hit an error while analyzing statement 3
SimMemoryAddressError: Unable to concretize address for load with the provided strategies.

What am I doing wrong?

This is the script I've done (still a WIP so some constraints are missing).

import angr, logging, claripy, simuvex
from IPython import embed

class custom_hook(simuvex.SimProcedure):
    def run(self, addr):
        for i in range(6):
            bvs = claripy.BVS("int{}".format(i), 8*4*6, explicit_name=True)
            self.state.add_constraints(bvs.get_bytes(0, 4) >= 1, bvs.get_bytes(0, 4) <= 6)
            # memory.store takes the address first and the data second
            self.state.memory.store(addr+i*4, bvs, endness=self.state.arch.memory_endness)
        return addr

def solve_flag_6():
    start = 0x4010f4
    read_num = 0x40145c
    find = 0x4011f7
    avoid = (0x4011e9, 0x401140, 0x401123,)

    p = angr.Project("./bomb", load_options={'auto_load_libs':False})
    p.hook(read_num, custom_hook)
    state = p.factory.blank_state(addr=start)
    pg = p.factory.path_group(state, threads=4)
    pg.explore(find=find, avoid=avoid)
    print(pg)
    return 0

def main():
    print("Flag 6:" + str(solve_flag_6()))

if __name__ == '__main__':
    logging.getLogger('angr.path_group').setLevel(logging.DEBUG)
    main()

Thanks guys!

Link to orgy.md is broken

The link in the readme to orgy.md is broken. Is the orgy component even in the repo?
If not, how would you suggest to do distributed analysis with angr?

Examples Don't Work On Docker

I downloaded the angr docker image but none of the examples under angr-doc work. It's more like they can't find any solutions.

(angr)angr@096d8358f98d:~/angr-dev/angr-doc/examples/securityfest_fairlight$ python solve.py 
WARNING | 2016-09-26 10:14:40,092 | cle.relocations | Unknown reloc 6 on AMD64
WARNING | 2016-09-26 10:14:40,092 | cle.relocations | Unknown reloc 7 on AMD64
Traceback (most recent call last):
  File "solve.py", line 33, in <module>
    main()
  File "solve.py", line 24, in main
    found = path_group.found[0]
IndexError: list index out of range

I run it on Mac OS X Sierra.

Course?

As @zardus mentioned in #66, it might be fun to write an angr class/course that helps new users progress from basic to complex reverse/crackmes. It would be similar to examples.md, but with the binaries and scripts explained in more detail.

My question is, where do you guys want to put this? In angr-doc? In a new repo?

Does angr depend on some particular features of architectures?

I wrote a simple ReverseMe program just like the Baby-re example.
Besides, I wrote a similar script just like that of Baby-re.

However, the script hangs on my platform (Ubuntu 16.04), whereas it works well on another platform, a Mac.

So, does angr depend on some particular features of architectures?

How to get the covered paths for a found path

With pg.explore(find = find), I can generate the target path as pg.found[0].

If I want to get the exercised path objects of pg.found[0], how could I do that?

I know the addresses of exercised blocks can be accessed by path.addr_trace[]; for path objects, how do I access them?

Thanks.

ELF Base Checking

The documentation on loading gives me the impression that the base address for a binary will be detected and everything will be updated accordingly. This isn't happening in the following example from the DEFCON qualifiers:

https://github.com/ctfs/write-ups-2015/blob/master/defcon-qualifier-ctf-2015/reverse/pr0dk3y/pr0dk3y_40687b492c80205cccb34db1eabf6456?raw=true

angr (the CLE loader, of course) is telling me the following:

hex(b.loader.main_bin.get_min_addr())
'0x400000'

hex(b.loader.main_bin.entry)
'0x400a60'

However, readelf is telling me:
$ readelf -l pr0dk3y | grep -i load
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
LOAD 0x0000000000002de0 0x0000000000202de0 0x0000000000202de0

$ readelf -h pr0dk3y | grep Entry
Entry point address: 0xa60

Is this expected behavior? If so, perhaps there should be some way to warn the user that angr is at a different base address than anything else that runs it.
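As an added example (not CLE's or angr's code), a small ELF64 reader that tells the two cases apart: an ET_DYN (PIE) file's link-time addresses are offsets from whatever base the loader picks, so readelf's entry 0xa60 and CLE's 0x400a60 describe the same location, whereas an ET_EXEC file's addresses are final. The sample headers are constructed inline from the readelf figures in the issue; they carry no code.

```python
import struct

ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable vs. position-independent (PIE/shared)
PT_LOAD = 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 header, little-endian (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)

def parse_elf64(data):
    """Return (e_type, e_entry, [(p_offset, p_vaddr, p_memsz), ...]) for the PT_LOAD segments."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, e_type, _machine, _version, e_entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table runs past end of file")
    loads = []
    for i in range(e_phnum):
        (p_type, _pflags, p_offset, p_vaddr, _paddr,
         _filesz, p_memsz, _align) = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_memsz))
    return e_type, e_entry, loads

def effective_layout(data, loader_base):
    """Where the entry point and PT_LOAD segments end up once a loader maps the file.

    For ET_DYN every link-time address is relative to the base the loader chooses
    (CLE reported 0x400000 in the issue); for ET_EXEC the link-time addresses are final.
    """
    e_type, e_entry, loads = parse_elf64(data)
    pie = e_type == ET_DYN
    base = loader_base if pie else 0
    return {
        "pie": pie,
        "link_entry": e_entry,
        "runtime_entry": e_entry + base,
        "segments": [(p_vaddr + base, p_memsz) for _, p_vaddr, p_memsz in loads],
    }

def build_sample(e_type, entry, load_vaddrs):
    """CONSTRUCTED header-only ELF64 image (no real code) mirroring the readelf output in the issue."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, little-endian, version 1
    phnum = len(load_vaddrs)
    header = EHDR.pack(ident, e_type, 0x3E, 1, entry, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, phnum, 0, 0, 0)
    phdrs = b"".join(PHDR.pack(PT_LOAD, 5, v & 0xFFF, v, v, 0x1000, 0x1000, 0x1000)
                     for v in load_vaddrs)
    return header + phdrs

if __name__ == "__main__":
    pie = build_sample(ET_DYN, 0xA60, [0x0, 0x202DE0])   # readelf: entry 0xa60, LOAD at 0 and 0x202de0
    for base in (0x400000, 0x555555554000):
        lay = effective_layout(pie, base)
        print("PIE at base 0x%x -> entry 0x%x, segments %s"
              % (base, lay["runtime_entry"], [hex(a) for a, _ in lay["segments"]]))
```

Checking `pie` before comparing addresses from readelf, gdb or another tool against angr's is the quick way to catch the mismatch the issue describes.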
